Figure 1. Global distribution of affected devicesGodless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools. The said framework has various exploits in its arsenal that can be used to root various Android-based devices. The two most prominent vulnerabilities targeted by this kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). The remaining exploits are deprecated and relatively unknown even in the security community. In addition, with root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices. This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users. Rooting Goes From Local to Remote We have seen the evolution of this family. In earlier Godless versions, malicious apps contain a local exploit binary called libgodlikelib.so , which uses exploit code from android-rooting-tools.
Figure 2. android-rooting-tools exploits found in libgodlike.soOnce a user downloads these malicious apps, the malware waits until the affected device’s screen is turned off before proceeds with its rooting routine.
Figure 3. Exploit initiating as screen is turned offAfter it successfully roots the device, it then drops a payload as a system app that cannot easily be removed. The payload is an AES-encrypted file called __image.
Figure 4. Payload drop routineRecently, we came across a new Godless variant that is made to only fetch the exploit and the payload from a remote command and control (C&C) server, hxxp://market[.]moboplay[.]com/softs[.]ashx. We believe that this routine is done so that the malware can bypass security checks done by app stores, such as Google Play.
Figure 5. Downloading exploit from C&C serverWe found various apps in Google Play that contain this malicious code. The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games. For example, a malicious flashlight app in Google Play called “Summer Flashlight” contained the malicious Godless code:
Figure 6. Sample of malicious appWe have also seen a large amount of clean apps on Google Play that has corresponding malicious versions—they share the same developer certificate—in the wild. The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior. Note that updating apps outside of Google Play is a violation of the store’s terms and conditions.
Figure 7. Clean and malicious versions from the same authorPayload Earlier Godless variants drop a system app that implements a standalone Google Play client. This payload steals affected Google credentials in order to download and install apps from the said app store. Users may then receive unwanted apps “promoted” by the payload. Another purpose of this routine is to fraudulently improve certain apps’ Google Play ranking. As for the latest variant (which remotely fetches the payload), currently, the attack installs a backdoor with root access in order to silently install apps on affected devices. Best Practices There is absolutely nothing wrong with rooting one’s mobile device. It can have several benefits in terms automation, performance, and basically getting the most out of a device. But when a malware roots a phone without a one’s knowledge, that’s where the fun stops. When downloading apps, regardless if it’s a utility tool or a popular game, users should always review the developer. Unknown developers with very little or no background information may be the source of these malicious apps. And as a general rule, it is always best to download apps from trusted stores such as Google Play and Amazon. Users should also have secure mobile security that can mitigate mobile malware. Trend Micro Mobile Security Personal Edition and Mobile Security Solutions detect all related threats in this attack. The SHA1 hashes related to this threat can be found in this appendix. We have also informed Google about the related apps found in their store and they have taken appropriate action.